North Carolina Office of the State Controller Technology Meeting

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "North Carolina Office of the State Controller Technology Meeting"

Transcription

1 PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security Division of Agio LLC in March As part of our one-year anniversary with Agio (the superior provider of managed IT services for the world s premier alternative investment managers) we re fully adopting the Agio brand. We will continue serving our clients across the financial, government, healthcare, education, commercial, retail and hospitality markets, and now we have the capability to offer a rich portfolio of IT services solutions. As the market continues to seek integrated, single-point-ofcontact providers, this augmentation to our business ensures our clients remain ahead of the curve. Same great people, same great service, but now with so much more 1 1

2 Agio - What We Do Our Security Credentials 20+ years of continuous service as IT Security Consultants and Security VAR 15+ years conducting compliance-based assessments PCI Qualified Security Assessor (QSA) since 2009 PCI Approved Scanning Vendor (ASV) since 2006 HITRUST (HIPAA/HITECH) Certified Practitioners 1 of 9 companies pre-approved by State of NC to conduct assessments for state agencies and higher education Consultants hold many certifications including CISSP, SANS, etc. and have on average 15 years of experience 2

3 PCI Introduction and History PCI Security Standards Council Historical Data PCI DSS created in December 2004 Original Compliance Deadline was June 2005 PCI SSC formed in Sept of 2006 and Version 1.1 of the standard released Version 1.2 released October of 2008 Version 2.0 released October 2010 Currently in use Version 3.0 released October 2013 Goes into effect January 1, 2015 (can be used now) 5 3

4 The Payment Card Industry Data Security Standard (PCI DSS) What is PCI-DSS? 1. It is a private initiative set forth by the Payment Card Industry. 2. A set of standards outlining how sensitive data is handled both operationally and technically. 6 The Payment Card Industry Data Security Standard (PCI DSS) 3. PCI DSS provides protections for all participants in a credit card transaction. 4. Applies to anyone who stores, transmits, or processes cardholder data. 5. Applies to both physical and electronic data, including but not limited to: servers, removable media, backup media, and documents. 7 4

5 PCI: What Does It Protect? The primary account number is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. PCI DSS applies wherever account data is stored, processed or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data. 8 Guidance and Enforcement The Different Roles PCI Security Standards Council Card Brands Feedback QSA ASV Acquirers Report Merchants 9 5

6 PCI: What Can Be Stored and How? Cardholder Data Sensitive Authentication Data Data Element Storage Permitted? Primary Account Yes Yes Number (PAN) Cardholder Name Yes No Service Code Yes No Expiration Date Yes No Full Magnetic Stripe Data No Render Stored Account Data Unreadable Cannot store after authorization CAV2/CVC2/CVV2/CID No Cannot store after authorization PIN/PIN Block No Cannot store after authorization 10 Cardholder Data 11 6

7 PCI DSS Is Not Law Through your Merchant Agreement with your acquiring bank, you are contractually bound to abide by all relevant PCI standards No threat of incarceration for non-compliance with PCI DSS Security Breach Notification Laws See N.C. Gen. Stat which identifies cardholder data as Personally Identifiable Data (PII) which is protected under North Carolina law 12 Possible Fines for Non-compliance First Violation Up to $50,000 Second Violation Up to $100,000 Third Violation Up to Management Discretion Failure to Report a Compromise Up to $100,000 Egregious Violation Up to $500,000 Level 1 Merchant (6,000,000+ transactions per year) Up to $100,000 AND If not compliant after 60 days, MasterCard or Visa additional fines of $10,000 per day (not to exceed $500,000 per year) Level 2 Merchant (150,000 6,000,000 transactions per year) Up to $50,000 AND If not compliant after 60 days, MasterCard or Visa additional fines of $10,000 per day (not to exceed $500,000 per year) Level 3 Merchant (20, ,000 transactions per year) Up to $25,000 AND If not compliant after 60 days, MasterCard or Visa additional fines of $10,000 per day (not to exceed $500,000 per year) 13 7

8 PCI: Technical and Operational Controls Technical Firewalls Intrusion Detection Two-factor Authentication Antivirus Encryption Security Event Logging Operational Policy Security Awareness Training Incident Response Testing Change Control Employee Screening Risk Assessment 14 PCI DSS: 6 Goals with 12 Requirements Build and Maintain A Secure Network 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain A Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security 15 8

9 Payment Brand Compliance Programs Each payment brand develops and maintains its own PCI DSS compliance programs in accordance with its own security risk management policies American Express: Data Security Operating Policy (DSOP) Discover: Discover Information Security Compliance (DISC) JCB: Data Security Program MasterCard: Site Data Protection (SDP) Visa USA: Cardholder Information Security Program (CISP) Other Visa Regions: Account Information Security (AIS) Program 16 PCI Merchant Levels Merchant Level Level 1 Level 2 Level 3 Level 4 Merchant Definition More than 6 million V/MC transactions annually across all channels, including ecommerce 1,000,000 5,999,999 V/MC transactions annually 20,000 1,000,000 V/MC ecommerce transactions annually Less than 20,000 V/MC ecommerce transactions annually, and all merchants across channel up to 1,000,000 VISA transactions annually Compliance Annual On-site PCI Data Security Assessment and Quarterly Network Scans Annual Self-Assessment and Quarterly Network Scans Annual Self-Assessment and Quarterly Network Scans Annual Self-Assessment and Annual Network Scans 17 9

10 Self Assessment Questionnaire (SAQ) 9 different SAQ s (3 additional since v 2.0) Binary standard: in place or not in place What is your bank/processor asking for? Qualifiers/Disqualifiers Electronic storage of CHD (just because you don t store CHD doesn t necessarily mean you don t have to use SAQ D) Read the Before You Begin section 18 Self Assessment Questionnaire (SAQ) (Cont d) A: Card-not-present Merchants, All CHD functions fully outsourced Completely outsourced to validated third parties A-EP: Partially Outsourced E-commerce Merchants using thirdparty Website for Payment Processing Your e-commerce website does not receive CHD but controls how consumers, or their CHD, are redirected to a validated third-party processor B: Imprint Machines or Standalone dial-out terminals B-IP: IP connected PTS Point-of-interaction (POI) terminals 19 10

11 Self Assessment Questionnaire (SAQ) (Cont d) C: Payment applications connected to the Internet, No CHD storage POS directly connected to the Internet Not connected to any other systems in the environment C-VT: Web-based Virtual Payment Terminals, No CHD storage Manually enter a single transaction at one time Terminal solution is provided and hosted by a validated third-party processor No card readers attached Organization does not transmit CHD through any other channels 20 Self Assessment Questionnaire (SAQ) (Cont d) P2PE-HW: Hardware Payment Terminals in a PCI-Listed P2PE Solution, No CHD The implemented solution is listed on the PCI SSC s list of validated Point-to-Point Encryption solutions D: All other SAQ-Eligible Merchants Network = D D: SAQ-Eligible Service Providers 21 11

12 Common PCI DSS Violations Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data. Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3) Default system settings and passwords not changed when system was set up (Requirement 2.1) Unnecessary and insecure services not removed or secured when system was set up (Requirements and 2.2.4) Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the web site (Requirement 6.5); redirect from website Missing and outdated security patches (Requirement 6.1) 22 Common PCI DSS Violations (Cont d) Lack of logging (Requirement 10) Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5) Poorly implemented network segmentation resulting in the cardholder data environment being unknowingly exposed to weaknesses in other parts of the network that have not been secured according to PCI DSS (for example, from unsecured wireless access points and vulnerabilities introduced via employee and web browsing) (Requirements 1.2, 1.3 and 1.4) 23 12

13 What Should I Do? Identify all payment channels (methods of processing payment) Group the Merchant IDs MIDs Location Applications Storage Identify all systems used in the process (scoping) Asset inventory Conduct gap assessment Apply the standard to the in scope systems 24 PCI Compliance PCI-DSS is NOT merely about checking boxes The intent of PCI-DSS is to prevent fraud and protect customers. Requirements must be met, but the goal is to provide robust information security within your organization

14 PCI 3.0 Update The PCI DSS Lifecycle The PCI DSS follows a three-year lifecycle PCI DSS 3.0 was released in October 2013 Optional (but recommended) in 2014; Required in 2015 Lifecycle for Changes to PCI DSS and PA-DSS 8 Final Review May July 1 Standards Published October COMMUNITY MEETING September October 2 Standards Effective January 1 7 Draft Revisions November April COMMUNITY MEETING September October COMMUNITY MEETING September October Market 3 Implementation All Year 6 Feedback Review April August 5 YEAR 2 Old Standards Retired December 31 4 Feedback Begins November 27 14

15 Key Themes Education and awareness Flexibility and consistency Security as a shared responsibility Emerging threats 28 Best Practices for Implementing PCI DSS Into Business As Usual (BAU) Processes Continuous compliance with due diligence needed PCI DSS is not a once-a-year activity Don t forget about the people and processes 29 15

16 Administrative Improvements Enhanced sampling examples and testing procedures for each requirement Enhanced reporting guidance Navigation Guide integrated into PCI DSS v 3.0 New templates (ROC/SAQ) ROC reporting instructions built into the ROC template Easier to complete, more concise Visual queues for when diagrams are needed Policy and procedure requirements moved from Section 12 to each individual section 30 Administrative Improvements (Cont d) Added flexibility to meet requirements: Passwords Web application firewalls File integrity monitoring (FIM) Inventory/labeling options NEW requirements listed in this presentation are either a requirement as of January 1, 2015 or a best practice until June 30, 2015, after which they become mandatory requirements (see list). Note: Cannot mix and match v 2.0 and v 3.0 in 2014 must use one or the other this year 31 16

17 Scoping Guidance Improper scoping leads to increased risk Look at people and process Focus on security, rather than compliance Not a one-time-a-year activity Confirm effectiveness of PCI scope (penetration test) Goal: reduce complexity and create more efficient security Risk assessments as scoping aid 32 Clarifications for Segmentation Isolation is clarified Controlled access means a connection exists, therefore those systems are in scope (AD, AV, DNS, time servers, etc.) Improved language to verify effectiveness 33 17

18 Changes Requirement 1 Build and Maintain a Secure Network and Systems Clarifications: Configuration standards must be documented and implemented (1.1.x) Network diagram & CHD flows ( ) Insecure services, protocols, ports (1.1.6) Securing router configuration files (1.2.2) Wireless access control to CDE (1.2.3) Anti-spoofing (1.3.4) Access to CDE from untrusted networks (1.3.7) Requirement and testing procedures (1.4) 34 Changes Requirement 2 No Vendor Defaults Clarifications: Change all default passwords; remove unnecessary default accounts (2.1) Change all wireless default passwords at installation (2.1.1) Include the above in Configuration Standards (2.2) Enable only necessary/secure services, protocols, and ports ( ) 35 18

19 Changes Requirement 2 No Vendor Defaults NEW Requirement: Maintain an inventory of all systems and components that are in scope for PCI DSS 36 Changes Requirement 3 Protect Stored Cardholder Data (CHD) Clarifications: Data Retention and Disposal (3.1.x) Sensitive Authentication Data (SAD) proper destruction after authorization (3.2) Primary Account Number (PAN) masking (3.3) Separation of OS and Disk-level encryption authentication mechanisms (3.4.1) Key Management procedures (3.5) Provided flexibility with more options for secure storage of cryptographic keys ( ) Testing implementation of crypto key management (3.6.x) Crypto key split-knowledge and key control (3.6.6) 37 19

20 Changes Requirement 4 Encrypt Transmission of CHD Across Untrusted Networks Clarifications: Expanded examples of open public networks (4.1) 38 Changes Requirement 5 Maintain a Vulnerability Management Program Clarifications: Ensure all AV mechanisms are maintained properly (5.2) NEW Requirements: Systems not commonly affected by malware must be evaluated (5.1.2) Ensure AV is running and cannot be disabled/altered (5.3) 39 20

21 Changes Requirement 6 Develop & Maintain Secure Systems and Applications Clarifications: Identifying, risk ranking, and patching critical vulnerabilities ( ) Written software development procedures (6.3) Development and Test environments (6.3.1) Enhanced testing procedures that include document reviews (6.4) Enforce separation of production and development environments with access controls (6.4.1) Updated list of current and emerging coding vulnerabilities and secure coding guidelines (6.5.x) Options beyond Web Application Firewall provided (6.6) 40 Changes Requirement 6 Develop & Maintain Secure Systems and Applications NEW Requirements: Handling of PAN and SAD in memory (6.5) Coding practices to protect against broken authentication and session management (6.5.10) 41 21

22 Changes Requirement 7 Restrict Access to CHD by Business Need-to-Know Clarifications: Revised testing procedures (7.1) Definition of access needs for each role (7.1.1) Restrict Privileged User IDs to least necessary (7.1.2) Assign access based upon role/classification (7.1.3) 42 Changes Requirement 8 Identify and Authenticate Access to System Components Clarifications: User identification (8.1) Remote vendor access (8.1.5) User authentication (8.2) Changed passwords to passphrases/authentication credentials Requirements apply to 3rd Party Vendors Strong cryptography for authentication credentials (8.2.1) Authenticate users prior to modifying credentials (8.2.2) 43 22

23 Changes Requirement 8 Identify and Authenticate Access to System Components Clarifications: Requirements 8.1.1, , 8.2, 8.5, and are not intended to apply to user accounts within a point-of-sale (POS) application that only has access to one card number at a time in order to facilitate a single transaction (such as cashier accounts). Two-factor authentication applies to users, administrators, and all thirdparties (8.3) How to protect authentication credentials (8.4) 44 Changes Requirement 8 Identify and Authenticate Access to System Components NEW Requirements: Options provided beyond passwords (tokens, smart cards, and certificates) for equivalent variations (8.2.3) Service Providers with access to customer environments must use a unique authentication credential (e.g., password) for each customer environment (8.5.1) Physical security tokens must be capable of being linked to an individual account (8.6) 45 23

24 Changes Requirement 9 Restrict Physical Access to Cardholder Data Clarifications: Protection of network jacks (9.1.2) Differentiation between on-site personnel and visitors options made available (9.2.x) Visitor audit trails (9.4.x) 46 Changes Requirement 9 Restrict Physical Access to Cardholder Data NEW Requirements: Control physical access to sensitive areas for on-site personnel (9.3) Protect POS terminals and devices from tampering or substitution (9.9) 47 24

25 Changes Requirement 10 Track and Monitor All Access to Network Resources and Cardholder Data Clarifications: Audit trails linked to individuals (10.1) Clarified the intent and scope of daily log reviews (10.6) 48 Changes Requirement 10 Track and Monitor All Access to Network Resources and Cardholder Data NEW Requirements: All changes to identification and authentication mechanisms and all changes to root or administrator access must be logged (10.2.5) Pausing, stopping, and restarting of audit logs must be logged (10.2.6) 49 25

26 Changes Requirement 11 Regularly Test Security Systems and Processes Clarifications: Added guidance regarding multiple scan reports (11.2) Quarterly internal vulnerability scans must be repeated until a passing scan results (11.2.2) Internal and External scans must be performed after significant changes (11.2.3) Correct all vulnerabilities detected during a Penetration Test (11.3.3) Methods expanded for detecting changes to files (11.5) 50 Changes Requirement 11 Regularly Test Security Systems and Processes NEW Requirements: Have an inventory and business justification for wireless access points (11.1.x) Implement a methodology for penetration testing, and perform penetration tests to verify that the segmentation methods are operational and effective (11.3) Develop process to respond to change detection alerts (11.5.1) 51 26

27 Changes Requirement 12 Maintain a Policy that Addresses Security for all Personnel Clarifications: Policy and procedure requirements moved from Section 12 to each individual section Added options regarding identification (labeling) of devices (12.3.4) Testing of remote access timeouts (12.3.8) Management of Service Providers (12.8) Further defined the components of Incident Response plan (12.10.x) 52 Changes Requirement 12 Maintain a Policy that Addresses Security for all Personnel NEW Requirements: Risk Assessment should be performed at least annually and after significant changes (12.2) Maintain separation of duties for security responsibilities (12.4.1) Clarified essential components of Service Provider agreements (12.8.2) Maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity (12.8.5). Service providers to acknowledge responsibility for maintaining applicable PCI DSS requirements. (12.9) 53 27

28 Next Steps How to Prepare for 3.0 Review the clarifications to ensure compliance Verify effective segmentation of CDE Look at day-to-day PCI compliance efforts Are configuration standards current? Are diagrams current? Are security procedures current and being followed? Review asset inventory process (2.x); ensure it includes all CDE systems and any wireless access points (11.2) Consider AV options for increased coverage (5.1.2) Ensure AV is locked down (5.3) 54 Next Steps How to Prepare for 3.0 (Cont d) Ensure the Risk Ranking Procedure is documented and followed (6.2) Review PA DSS Implementation Guides How is PAN/SAD stored in memory managed? (6.5.6) Review session management coding practices (6.5.11) Review how service providers are managed Access management - no shared IDs/accounts (8.5.1) Fully PCI compliant (12.8) Review contracts, clearly define responsibilities (12.8.2) Ensure the Service Provider acknowledges responsibilities (12.9) 55 28

29 Next Steps How to Prepare for 3.0 (Cont d) Review security tokens and ensure each is linked to a unique individual (8.6) Review on-site personnel access controls to sensitive areas (9.3) Consider methods to prevent tampering with POS equipment (9.9) Review log security settings (admins, stop/start, etc.) ( ) If wireless is used, document the business justification (11.1) Ensure penetration test methodology is documented (11.3) Ensure vulnerabilities detected are corrected and then retest to ensure compliance for internal scans (11.2.2) and penetration tests (11.3.3) 56 Next Steps How to Prepare for 3.0 (Cont d) Ensure security alerts (FIM/IDS/etc.) are integrated into incident response process (11.5.1) Verify that remote access timeouts are working properly (12.3.8) Verify that risk assessments are performed both annually and after significant changes to CDE are made (12.2) Ensure separation of duties exists for information security (12.4.1) Review and update the incident response plan (12.10) 57 29

30 Questions? PCI Security Awareness Training Thank you! Agio has performed network and application security assessments for over 14 years. Agio is recognized by the Payment Card Industry Security Standards Council (PCI SSC) as both a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV). We are happy to help you with any and all compliance efforts Agio agio.com/security 59 30

31 Contact Us Sherry Worthington Account Manager Laurie Leigh Director of Sales Shawn Ryan Senior Security Engineer and Lead QSA Agio 909 Aviation Parkway, Suite 600 Morrisville, NC phone fax web

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI

More information

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2 May 2016 Document Changes Date Version Description October 1, 2008 1.2 October 28,

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 2.0 October 2010 Document Changes Date Version Description October 1, 2008 1.2 October

More information

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP 2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock PCI DSS 3.0 Overview OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock 01/16/2015 Purpose of Today s Presentation To provide an overview of PCI 3.0 based

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard

More information

PCI Compliance 3.1. About Us

PCI Compliance 3.1. About Us PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

Adyen PCI DSS 3.0 Compliance Guide

Adyen PCI DSS 3.0 Compliance Guide Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants

More information

PCI DSS 3.0 and You Are You Ready?

PCI DSS 3.0 and You Are You Ready? PCI DSS 3.0 and You Are You Ready? 2014 STUDENT FINANCIAL SERVICES CONFERENCE Linda Combs combslc@jmu.edu Ron King rking@campusguard.com AGENDA PCI and Bursar Office Role Key Themes in v3.0 Timelines Changes

More information

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security

More information

PCI DSS Compliance. 2015 Information Pack for Merchants

PCI DSS Compliance. 2015 Information Pack for Merchants PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends

More information

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc. PCI 3.1 Changes Jon Bonham, CISA Coalfire System, Inc. Agenda Introduction of Coalfire What does this have to do with the business office Changes to version 3.1 EMV P2PE Questions and Answers Contact Information

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard PCI Compliance Crissy Sampier, Longwood University Edward Ko, CampusGuard Agenda Introductions PCI DSS 101 Chip Cards (EMV) Longwood s PCI DSS Journey Breach Statistics Shortcuts to PCI DSS Compliance

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice 847.413.6319

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS CIVICA Conference 22 January 2015 WELCOME AND AGENDA Change is here! PCI-DSS 3.0 is mandatory starting January 1, 2015 Goals of the session

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help

More information

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

PCI DSS v3.0 SAQ Eligibility

PCI DSS v3.0 SAQ Eligibility http://www.ambersail.com Disclaimer: The information in this document is provided "as is" without warranties of any kind, either express or implied, including, without limitation, implied warranties of

More information

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.

More information

Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013

Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013 Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition November 2013 Introductions Brian Serra PCI Practice Director Nick Puetz Managing Director - Strategic Services 2013 FishNet Security Inc. All

More information

So you want to take Credit Cards!

So you want to take Credit Cards! So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

Payment Card Industry Compliance Overview

Payment Card Industry Compliance Overview January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260

More information

How Secure is Your Payment Card Data?

How Secure is Your Payment Card Data? How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has

More information

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key

More information

Credit Card Processing, Point of Sale, ecommerce

Credit Card Processing, Point of Sale, ecommerce Credit Card Processing, Point of Sale, ecommerce Compliance, Self Auditing, and More John Benson Kurt Willey HACKS REGULATIONS Greater Risk for Merchants Topics Compliance Changes Scans Self Audits

More information

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements

More information

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Technology Innovation Programme

Technology Innovation Programme FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk

More information

PCI DSS Presentation University of Cincinnati

PCI DSS Presentation University of Cincinnati PCI DSS Presentation University of Cincinnati Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A PCI DSS Payment Card Industry Data Security Standard What is the PCI

More information

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or

More information

PCI Risks and Compliance Considerations

PCI Risks and Compliance Considerations PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction

More information

Understanding the SAQs for PCI DSS version 3

Understanding the SAQs for PCI DSS version 3 Understanding the SAQs for PCI DSS version 3 The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers report the results of their PCI DSS

More information

New PCI Standards Enhance Security of Cardholder Data

New PCI Standards Enhance Security of Cardholder Data December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target

More information

Technical breakout session

Technical breakout session Technical breakout session Small leaks sink great ships Managing data security, fraud and privacy risks Tarlok Birdi, Deloitte Ron Borsholm, WTS May 27, 2009 Agenda 1. PCI overview: the technical intent

More information

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015 Today s Presentation What do you need to do? What is PCI DSS? Why PCI DSS? Who Needs to Comply

More information

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate. MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document

More information

Your Compliance Classification Level and What it Means

Your Compliance Classification Level and What it Means General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe

More information

Presented By: Bryan Miller CCIE, CISSP

Presented By: Bryan Miller CCIE, CISSP Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

HOW SECURE IS YOUR PAYMENT CARD DATA?

HOW SECURE IS YOUR PAYMENT CARD DATA? HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,

More information

PCI Overview. Lee Buttke Director of Consulting QSA, CPISM, CISSP

PCI Overview. Lee Buttke Director of Consulting QSA, CPISM, CISSP PCI Overview Lee Buttke Director of Consulting QSA, CPISM, CISSP About NetSPI Security and compliance consulting solutions for highly regulated markets QSA, PA-QSA, and ASV Higher Education and Retail/Payment

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,

More information

6-8065 Payment Card Industry Compliance

6-8065 Payment Card Industry Compliance 0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card

More information

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc.

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc. PCI Compliance at The University of South Carolina Failure is not an option Rick Lambert PMP University of South Carolina ricklambert@sc.edu Payment Card Industry Data Security Standard (PCI DSS) Who Must

More information

SecurityMetrics Introduction to PCI Compliance

SecurityMetrics Introduction to PCI Compliance SecurityMetrics Introduction to PCI Compliance Card Data Compromise What is a card data compromise? A card data compromise occurs when payment card information is stolen from a merchant. Some examples

More information

Accounting and Administrative Manual Section 100: Accounting and Finance

Accounting and Administrative Manual Section 100: Accounting and Finance No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security

More information

The State of Security and Compliance for E- Commerce and Retail

The State of Security and Compliance for E- Commerce and Retail The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against

More information

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda 2010 Finance & Business Operations Symposium (FBOS) PCI Compliance Cort M. Kane COO, designdata Judy Durham CFO, NPES Kymberly Bonzelaar, Sr. VP Capital One Richard Eggleston, Sr. Project Director, TMAR

More information

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information Overview and applicability Any application

More information

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment

More information

BRAND-NAME is What COUNTS!!!

BRAND-NAME is What COUNTS!!! BRAND-NAME is What COUNTS!!! USE PCI-DSS and make a name for your business Amit Jain Lead Solution Architect Aug 2015 Who We Are WHO WE ARE Company facts and figures ESTABLISHED TRUSTED 1995 BY MORE THAN

More information

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE April 30 th, 2014 Sean Mathena CISSP, CISA, QSA Trustwave Managing Consultant WELCOME AND AGENDA PCI-DSS 3.0 Review the high-level areas that have changed

More information

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card

More information

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?

More information

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data

More information

PCI DSS. CollectorSolutions, Incorporated

PCI DSS. CollectorSolutions, Incorporated PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted

More information

PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1

PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1 PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1 For merchants and other entities involved in payment card processing Contents PCI DSS Quick Reference

More information

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015 Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.1 April 2015 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1

More information

Continuous compliance through good governance

Continuous compliance through good governance PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program Continuous compliance through good governance Who are the PCI SSC? The Payment Card Industry Security Standard Council

More information

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education PCI in Higher Education Walter Conway, QSA 403 Labs, LLC Walt Conway PCI consultant, blogger, trainer, speaker, author Former Visa VP Help schools become PCI compliant Represent Higher Education at PCI

More information

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp

More information

Leveraging PCI to Manage Risks of Accepting Credit Cards. Not-for-Profit Webinar Series March 10, 2015

Leveraging PCI to Manage Risks of Accepting Credit Cards. Not-for-Profit Webinar Series March 10, 2015 Leveraging PCI to Manage Risks of Accepting Credit Cards Not-for-Profit Webinar Series March 10, 2015 Steve Earley, CISA, CISSP, CRISC, CFSA, ITILv3, MCP Senior Manager, IT Audit, Internal Audit and Risk

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008

Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008 Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008 Matthew T. Davis SecureState, LLC mdavis@securestate.com SecureState Founded in 2001, Based on Cleveland Specialized

More information

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.0 November 2013

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.0 November 2013 Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.0 November 2013 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1

More information

Office of Finance and Treasury

Office of Finance and Treasury Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive

More information

White Paper. Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance

White Paper. Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance White Paper Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Executive Overview

More information

Information Technology

Information Technology Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

Introduction to PCI DSS

Introduction to PCI DSS Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?

More information

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

WHITE PAPER. PCI Basics: What it Takes to Be Compliant WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through

More information

Customer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics

Customer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics Customer PCI 3.0 Changes = New Opportunity For You Giles Witherspoon-Boyd SecurityMetrics Who is this guy? Giles Witherspoon-Boyd, PCIP 15 years in technology, 4 years at SecurityMetrics SecurityMetrics

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

PCI DSS Compliance Guide

PCI DSS Compliance Guide PCI DSS Compliance Guide 2009 Rapid7 PCI DSS Compliance Guide What is the PCI DSS? Negative media coverage, a loss of customer confidence, and the resulting loss in sales can cripple a business. As a result,

More information